Tiny Core Extensions > TCE Q&A Forum

TCL 15.0 64bit... How to start and use Firewalld? (ie. How to set up Firewall?)


lizardidi:

--- Quote from: GNUser on November 12, 2024, 12:28:03 PM ---
--- Quote from: lizardidi on November 12, 2024, 12:59:26 AM ---I would happily accept any other suggestions, other than firewalld, if there's other. A search for UFW in repo return negative result.

--- End quote ---
Hi lizardidi. I'm sure iptables.tcz is available in every TCL version. 64-bit repo also has nftables.tcz. I personally use nftables for firewall and am very happy with it.

--- End quote ---

Thanks @GNUser!!!
Last week I tried iptables.tcz. Can I verify a few important pieces of information:

After I tce-load -wi iptables.tcz (ie. load iptables on every boot), do I need to key in any command to start or activate the iptables rules?

When I type "sudo iptables -L", I can see that by default it has applied a set of rules. Is this sufficient, or the correct way to set up a basic firewall?
Below are the commands I typed:

--- Quote ---sudo iptables -P INPUT DROP
sudo iptables -P FORWARD DROP
sudo iptables -P OUTPUT ACCEPT

sudo iptables -A INPUT -p icmp -j ACCEPT
sudo iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

sudo iptables -A INPUT -p tcp -j REJECT --reject-with icmp-port-unreachable
sudo iptables -A INPUT -p udp -j REJECT --reject-with icmp-port-unreachable
sudo iptables -A INPUT -j REJECT --reject-with icmp-proto-unreachable
--- End quote ---

Below are my iptables output:

--- Quote ---tc@box:~$ sudo iptables -L
Chain INPUT (policy DROP)
target     prot opt source               destination         
ACCEPT     icmp --  anywhere             anywhere           
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
ACCEPT     all  --  anywhere             anywhere           
REJECT     tcp  --  anywhere             anywhere             reject-with tcp-reset
REJECT     udp  --  anywhere             anywhere             reject-with icmp-port-unreachable
REJECT     all  --  anywhere             anywhere             reject-with icmp-proto-unreachable

Chain FORWARD (policy DROP)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination 
--- End quote ---

Do I need to add these to /opt/bootlocal.sh so they run on every boot?

Rich:
Hi lizardidi
The 32 bit version of iptables includes a basic-firewall script
which for some reason was not included in the 64 bit version.

I've attached a copy. Maybe it will serve your needs, or you
could adapt it to meet your needs.

Save it to /usr/local/sbin/.
Then:

--- Code: ---sudo chmod 755 /usr/local/sbin/basic-firewall
echo usr/local/sbin/basic-firewall >> /opt/.filetool.lst
filetool.sh -b
--- End code ---

Those 3 steps:
1. Made the script executable.
2. Added the script to your backup list.
3. Backed up the script.

If you edit the script, run:

--- Code: ---filetool.sh -b
--- End code ---
so your changes survive when you reboot.
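As an added example (not the script Rich attached and not code from either post): the rule set lizardidi typed, turned into an idempotent script that can be saved as /usr/local/sbin/basic-firewall and called from /opt/bootlocal.sh, which is how the "run on every boot" question is usually answered on Tiny Core. It assumes iptables.tcz is loaded; the loopback accept, the INVALID drop and the tcp-reset for TCP are assumptions added beyond the original rules, and IPv4 only is covered (ip6tables is a separate table).

```shell
#!/bin/sh
# Minimal stateful INPUT firewall for Tiny Core (added example).
# Run as root, e.g. from /opt/bootlocal.sh:  /usr/local/sbin/basic-firewall --apply
# Set IPTABLES=echo to print the commands instead of applying them.

IPTABLES="${IPTABLES:-iptables}"

# Emit the rule set, one iptables argument list per line. Kept separate from
# apply_firewall so the rules can be inspected or tested without root.
firewall_rules() {
    cat <<'EOF'
-F INPUT
-F FORWARD
-P INPUT DROP
-P FORWARD DROP
-P OUTPUT ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -p tcp -j REJECT --reject-with tcp-reset
-A INPUT -p udp -j REJECT --reject-with icmp-port-unreachable
-A INPUT -j REJECT --reject-with icmp-proto-unreachable
EOF
}

# Apply every rule in order. Flushing INPUT/FORWARD first means a second run
# (or a reboot that re-runs bootlocal.sh) does not duplicate rules.
# Returns non-zero if any iptables call fails.
apply_firewall() {
    firewall_rules | while read -r rule; do
        # word-splitting $rule into separate arguments is intended
        "$IPTABLES" $rule || exit 1
    done
}

# Number of rules that would be applied; a quick sanity check after edits.
rule_count() {
    firewall_rules | wc -l | tr -d ' '
}

if [ "${1:-}" = "--apply" ]; then
    apply_firewall
fi
```

Because the script replaces the rules rather than appending, editing it and re-running it is safe; remember to run filetool.sh -b afterwards so the edited copy survives a reboot.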

lizardidi:
Thanks @Rich!

Replaced my iptables rules with the basic-firewall script, since both ChatGPT and Microsoft Copilot AI agreed that the "basic" firewall will provide solid protection for basic usage.  ;D ;D ;D
